1

I'm learning fwbuilder and firewalls in general. I don't understand the differences between Policy, NAT and Routes. They all seem like they are just ways to tell the data where to go depending on what it is and where it's coming from.

What is the real difference? Is a properly configured firewall taking advantage of all three (Policy, NAT and Routes) or are they just three different ways to accomplish the same thing and you only need one of them?

Jake Wilson

2 Answers

2

Not familiar with fwbuilder, but they all have more specific meanings in networking, here is how I would define them off the top of my head for general networking:

NAT and PAT:
Changes the IP destination or source and/or the ports in TCP/UDP. The most common uses are so multiple people can share a public IP, or to map public IPs to private IPs for services.

Policy:
What to do with packets that meet certain requirements based on all sorts of properties at various network levels. For example, drop them, or send an ICMP message to the requester saying it is closed. Here the primary use is for security to protect your network.

IP Routes:
Decide which interface to send traffic out depending on the destination IP (or possibly more advanced things when you talk about policy based routing). The use here is that this is how the internet and most major computer networks work at the higher levels. Generally, NAT happens before routing, so the packet is altered by NAT and then routed according to the result.

General vs. Specific:
Your generalization of "ways to tell the data where to go depending on what it is and where it is coming from" is roughly what "networking" is. To take it to a higher level, to me it is almost like saying "Why are there all these computer words when all they do is move and manipulate data" :-) These terms are all specific aspects of networking which can be a full time vocation.

Kyle Brandt
  • Let me get this straight: If I wanted someone on the outside to access SSH or http on a specific internal machine, I would use NAT? If our network had two ISP connections both connected to the Firewall, and I wanted certain internal computers to connect to the internet via ISP A and others to use ISP B, I would use Routes? And if I wanted to just control whether certain services that pass through the router are accepted or denied, I use Policy? – Jake Wilson Apr 05 '10 at 20:31
  • SSH from the Outside: This would probably require two things, one that you have NAT/PAT having some port on the public IP map the ssh port for private IP of the server, and then also have a hole in the firewall (policy) open for whatever the public port is. Multihoming: When you have two ISPs (Multihomed internet connection), you will need to have PBR (Policy based routing) to route based on the source IP, this is generally considered more advanced networking. Policy: Generally, yes this would be what is permitted or blocked, I think it is not to be confused with Policy based routing. – Kyle Brandt Apr 05 '10 at 21:32
  • It sounds to me for the level of stuff you are trying to do, you might want to go learn iptables and fundamental networking well before going into fwbuilder. This will probably give you a better understanding in the long run even if it ends up taking a little bit more time. – Kyle Brandt Apr 05 '10 at 21:36
1

Policy, NAT, and Routing are fwbuilder terms.

Policy is equivalent to the iptables filter table, composed of the INPUT, FORWARD, and OUTPUT chains. This simply decides which packets are allowed to traverse the firewall.

NAT is equivalent to the iptables nat table, composed of the PREROUTING, POSTROUTING, and OUTPUT chains. This does collation (DNAT) and scattering (SNAT) of the packet streams.

Routing has no iptables equivalent. It is used for the routing tables of some routers (mostly Cisco).

fwbuilder has no equivalent to the iptables mangle table, which is used to do all sorts of Stupid Packet Tricks that the other two tables may not be capable of or may not be appropriate for.

Ignacio Vazquez-Abrams
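To make the division of labour between the three concrete, here is an added example (not code from either answer, nor from fwbuilder or iptables) that models the packet path both answers describe for a forwarded packet: nat/PREROUTING (DNAT) runs first, then the routing decision (with a source-based policy-routing table for the two-ISP case from the comments), then filter/FORWARD (fwbuilder's "Policy"), and finally nat/POSTROUTING (SNAT). Every address, interface name and rule below is constructed for the illustration.

```python
"""Toy model of how a Linux firewall (as fwbuilder generates it) handles a
forwarded packet: nat/PREROUTING (DNAT) -> routing decision (with a
source-based policy-routing table) -> filter/FORWARD (policy) ->
nat/POSTROUTING (SNAT).  All addresses, interfaces and rules below are
constructed for the example; none come from a real configuration."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    in_if: str
    out_if: Optional[str] = None


# nat/PREROUTING: publish the internal SSH server on public port 2222
DNAT_RULES = [("wan0", "tcp", 2222, "10.0.0.5", 22)]

# Routing tables; 'ispb' is the alternate table used by policy routing
ROUTES = {
    "main": [("10.0.0.0/24", "lan0"), ("0.0.0.0/0", "wan0")],
    "ispb": [("10.0.0.0/24", "lan0"), ("0.0.0.0/0", "wan1")],
}
# Policy-based routing: the upper half of the LAN goes out through ISP B
PBR_RULES = [("10.0.0.128/25", "ispb")]

# filter/FORWARD (fwbuilder "Policy"): first match wins, default DROP
FORWARD_RULES = [
    ("wan0", "lan0", "tcp", 22, "ACCEPT"),   # the published SSH service
    ("lan0", None, None, None, "ACCEPT"),     # LAN may go anywhere
    (None, None, None, None, "DROP"),         # everything else
]
# nat/POSTROUTING: hide each uplink behind its own public address
SNAT_RULES = {"wan0": "203.0.113.10", "wan1": "198.51.100.10"}


def apply_dnat(pkt):
    """Rewrite destination address/port for matching PREROUTING rules."""
    for in_if, proto, dport, new_dst, new_dport in DNAT_RULES:
        if (pkt.in_if, pkt.proto, pkt.dport) == (in_if, proto, dport):
            pkt.dst, pkt.dport = new_dst, new_dport
            break
    return pkt


def select_table(src):
    """Policy routing: pick a routing table from the source address."""
    addr = ipaddress.ip_address(src)
    for prefix, table in PBR_RULES:
        if addr in ipaddress.ip_network(prefix):
            return table
    return "main"


def route(pkt):
    """Longest-prefix match on the (already DNATed) destination."""
    dst = ipaddress.ip_address(pkt.dst)
    best = None
    for prefix, out_if in ROUTES[select_table(pkt.src)]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, out_if)
    pkt.out_if = best[1] if best else None
    return pkt


def filter_forward(pkt):
    """Return the FORWARD verdict; None in a rule field means 'any'."""
    for in_if, out_if, proto, dport, action in FORWARD_RULES:
        if all(want is None or want == have for want, have in
               ((in_if, pkt.in_if), (out_if, pkt.out_if),
                (proto, pkt.proto), (dport, pkt.dport))):
            return action
    return "DROP"


def apply_snat(pkt):
    """Rewrite the source address on the way out of an uplink."""
    if pkt.out_if in SNAT_RULES:
        pkt.src = SNAT_RULES[pkt.out_if]
    return pkt


def process(pkt):
    """Return (verdict, packet as it would leave) for a forwarded packet."""
    pkt = route(apply_dnat(pkt))          # NAT happens before routing
    if pkt.out_if is None:
        return ("NO_ROUTE", pkt)
    verdict = filter_forward(pkt)         # Policy decides accept/drop
    if verdict == "ACCEPT":
        pkt = apply_snat(pkt)
    return (verdict, pkt)


if __name__ == "__main__":
    print(process(Packet("198.51.100.77", "203.0.113.10", "tcp", 2222, "wan0")))
    print(process(Packet("198.51.100.77", "203.0.113.10", "tcp", 80, "wan0")))
    print(process(Packet("10.0.0.20", "192.0.2.9", "tcp", 443, "lan0")))
    print(process(Packet("10.0.0.200", "192.0.2.9", "tcp", 443, "lan0")))
```

The first case is the "SSH from the outside" scenario from the comments: the DNAT rule alone is not enough, because the packet still has to pass the FORWARD rule that opens port 22 towards the LAN; a packet to port 80 gets no DNAT and is dropped by the policy. The last two cases show the two-ISP setup: the routing table chosen from the source address decides the uplink, and the matching SNAT rule then gives the packet that uplink's public address.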